I would ignore the portscans since there is nothing wrong with portscanning the Internet.
Install fail2ban {don't forget to whitelist your management static IPs}. You may want to increase the default bantime and findtime {how far back to search logs}.

On 31 Mar 2016 11:06, "Todd Crane" <todd.cr...@n5tech.com> wrote:

> I must have missed that… my bad.
>
> > On Mar 31, 2016, at 2:01 AM, Dan Hollis <goe...@sasami.anime.net> wrote:
> >
> > It's right there in his email:
> >
> > "We have sent email to ab...@microsoft.com, but no answer."
> >
> > -Dan
> >
> > On Thu, 31 Mar 2016, Todd Crane wrote:
> >
> >> Oh and,
> >>
> >> I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not to mention unprofessional, to publicly call them out on such a public forum without giving them an opportunity to correct it first.
> >>
> >>> On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.cr...@n5tech.com> wrote:
> >>>
> >>> Marcel
> >>>
> >>> Depending on what is on those machines, I would just recommend using fail2ban. The default is that if an ip address fails ssh auth 3 times in 5 minutes, their ip gets blocked via iptables for 5 minutes. This is enough to thwart most scripted attacks, especially those from a certain government in Asia. This is configurable to various applications, timing schemes, and blocking/jailing mechanisms.
> >>>
> >>> -Todd
> >>>
> >>>> On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <nanog@nanog.org> wrote:
> >>>>
> >>>> Dear Nanog'er,
> >>>>
> >>>> We are facing a lot of port scans and brute force attacks on port 22 (but not limited to) from the Microsoft AS 8075 range toward our own infra, or toward our customers.
> >>>> We have sent email to ab...@microsoft.com, but no answer.
> >>>>
> >>>> Source IPs are:
> >>>> NetRange: 40.74.0.0 - 40.125.127.255
> >>>> CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16, 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
> >>>> NetName: MSFT
> >>>>
> >>>> We consider port scans and brute force on the ssh port as an attack, and even as a pre-DDOS phase (could be used to install a botnet, detect unpatched hosts, and so on).
> >>>>
> >>>> It's one thing to propose services and make money over an infra; it's another thing to take care that your clients do not use this infra to do illegal stuff.
> >>>>
> >>>> How do you deal with such a massive amount of 'illegal' traffic?
> >>>>
> >>>> Thanks,
> >>>> Best Regards
> >>>> Marcel
> >>>>
> >>>> Here are some examples (we have more than 3000 such packets per day just from them, probably Azure), and the source IP is always different of course:
> >>>>
> >>>> Flow Filtering Expression
> >>>> src AS 8075 and dst port 22 and packets=1
> >>>> Limit Flows
> >>>> 40000
> >>>> Sorting
> >>>> By Date
> >>>>
> >>>> Date_first_seen Duration Proto Src_IP_Addr:Port Dst_IP_Addr:Port Flags Packets
> >>>> 2016-02-29 14:55:20.108 0.000 6 104.45.210.69:1160 -> x.x.231:22 ...... 1
> >>>> 2016-02-29 14:55:20.611 0.000 6 104.45.210.69:1161 -> x.x.231:22 ...... 1
> >>>> 2016-02-29 14:56:41.004 0.000 6 40.76.55.204:1090 -> x.x..14:22 ...... 1
> >>>> 2016-02-29 14:56:41.324 0.000 6 40.76.55.204:1091 -> x.x..14:22 ...... 1
> >>>> 2016-02-29 15:00:05.670 0.000 6 40.76.55.204:1088 -> x.x.125:22 ...... 1
> >>>> 2016-02-29 15:00:06.003 0.000 6 40.76.55.204:1089 -> x.x.125:22 ...... 1
> >>>> 2016-02-29 15:01:17.358 0.000 6 40.76.70.58:1168 -> x.x..80:22 ...... 1
> >>>> 2016-02-29 15:01:17.676 0.000 6 40.76.70.58:1169 -> x.x..80:22 ...... 1
> >>>> 2016-02-29 15:02:42.637 0.000 6 40.76.55.204:1176 -> x.x.193:22 ...... 1
> >>>> 2016-02-29 15:02:42.878 0.000 6 40.76.55.204:1177 -> x.x.193:22 ...... 1
> >>>> 2016-02-29 15:02:48.067 0.000 6 104.45.210.69:1160 -> x.x.173:22 ...... 1
> >>>> 2016-02-29 15:02:48.394 0.000 6 104.45.210.69:1161 -> x.x.173:22 ...... 1
> >>>> 2016-02-29 15:03:18.854 0.000 6 40.121.53.153:1041 -> x.x..88:22 ...... 1
> >>>> 2016-02-29 15:03:19.172 0.000 6 40.121.53.153:1042 -> x.x..88:22 ...... 1
> >>>> 2016-02-29 15:06:36.248 0.000 6 40.76.55.204:1056 -> x.x..45:22 ...... 1
> >>>> 2016-02-29 15:07:31.882 0.000 6 40.76.80.17:44895 -> x.x..75:22 ...... 1
> >>>> 2016-02-29 15:07:32.245 0.000 6 40.76.80.17:44896 -> x.x..75:22 ...... 1
> >>>> 2016-02-29 15:09:08.433 0.000 6 40.76.70.58:1168 -> x.x..31:22 ...... 1
> >>>> 2016-02-29 15:09:08.744 0.000 6 40.76.70.58:1169 -> x.x..31:22 ...... 1
> >>>> 2016-02-29 15:11:45.668 0.000 6 40.76.80.17:47993 -> x.x.157:22 ...... 1
> >>>> 2016-02-29 15:11:45.987 0.000 6 40.76.80.17:47994 -> x.x.157:22 ...... 1
> >>>> 2016-02-29 15:12:09.543 0.000 6 40.76.70.58:1168 -> x.x..24:22 ...... 1
> >>>> 2016-02-29 15:12:09.925 0.000 6 40.76.70.58:1169 -> x.x..24:22 ...... 1
> >>>> 2016-02-29 15:17:05.920 0.000 6 40.76.70.58:1168 -> x.x.243:22 ...... 1
> >>>> 2016-02-29 15:17:06.241 0.000 6 40.76.70.58:1169 -> x.x.243:22 ...... 1
> >>>> 2016-02-29 15:19:21.364 0.000 6 40.83.121.211:62936 -> x.x..81:22 ...... 1
> >>>> 2016-02-29 15:19:21.704 0.000 6 40.83.121.211:62937 -> x.x..81:22 ...... 1
> >>>> 2016-02-29 15:19:45.891 0.000 6 40.76.70.58:1168 -> x.x..39:22 ...... 1
> >>>> 2016-02-29 15:19:46.273 0.000 6 40.76.70.58:1169 -> x.x..39:22 ...... 1
> >>>> 2016-02-29 15:21:52.030 0.000 6 40.76.70.58:1168 -> x.x.120:22 ...... 1
> >>>> 2016-02-29 15:21:52.349 0.000 6 40.76.70.58:1169 -> x.x.120:22 ...... 1
> >>>> 2016-02-29 15:24:07.614 0.000 6 40.76.55.204:1048 -> x.x.237:22 ...... 1
> >>>> 2016-02-29 15:24:07.933 0.000 6 40.76.55.204:1128 -> x.x.237:22 ...... 1
> >>>> 2016-02-29 15:27:31.289 0.000 6 40.121.53.153:1041 -> x.x.133:22 ...... 1
> >>>> 2016-02-29 15:27:31.544 0.000 6 40.121.53.153:1042 -> x.x.133:22 ...... 1
> >>>> 2016-02-29 15:27:59.120 0.000 6 40.76.70.58:1168 -> x.x.9.3:22 ...... 1
> >>>> 2016-02-29 15:27:59.440 0.000 6 40.76.70.58:1169 -> x.x.9.3:22 ...... 1
> >>>> 2016-02-29 15:29:30.933 0.000 6 40.76.70.58:1168 -> x.x.211:22 ...... 1
> >>>> 2016-02-29 15:29:31.031 0.000 6 40.76.70.58:1169 -> x.x.211:22 ...... 1
> >>>> 2016-02-29 15:29:33.729 0.000 6 40.76.55.204:1142 -> x.x.166:22 ...... 1
> >>>> 2016-02-29 15:29:34.032 0.000 6 40.76.55.204:1143 -> x.x.166:22 ...... 1
> >>>> 2016-02-29 15:31:41.947 0.000 6 40.76.70.58:1168 -> x.x.137:22 ...... 1
> >>>> 2016-02-29 15:31:42.266 0.000 6 40.76.70.58:1169 -> x.x.137:22 ...... 1
> >>>> 2016-02-29 15:32:10.044 0.000 6 40.121.53.153:1041 -> x.x..71:22 ...... 1
> >>>> 2016-02-29 15:32:10.348 0.000 6 40.121.53.153:1042 -> x.x..71:22 ...... 1
> >>>> 2016-02-29 15:32:10.442 0.000 6 104.45.210.69:1161 -> x.x.246:22 ...... 1
> >>>> 2016-02-29 15:32:10.475 0.000 6 104.45.210.69:1160 -> x.x.246:22 ...... 1
> >>>> 2016-02-29 15:32:29.165 0.000 6 40.121.143.132:1040 -> x.x..62:22 ...... 1
> >>>> 2016-02-29 15:32:29.466 0.000 6 40.121.143.132:1041 -> x.x..62:22 ...... 1
> >>>> 2016-02-29 15:37:07.616 0.000 6 40.76.80.17:56902 -> x.x..51:22 ...... 1
> >>>> 2016-02-29 15:37:07.925 0.000 6 40.76.80.17:56903 -> x.x..51:22 ...... 1
> >>>> 2016-02-29 15:40:04.546 0.000 6 40.121.53.153:1041 -> x.x.186:22 ...... 1
> >>>> 2016-02-29 15:40:04.866 0.000 6 40.121.53.153:1042 -> x.x.186:22 ...... 1
> >>>> 2016-02-29 15:40:28.870 0.000 6 40.76.70.58:1168 -> x.x.171:22 ...... 1
> >>>> 2016-02-29 15:40:29.125 0.000 6 40.76.70.58:1169 -> x.x.171:22 ...... 1
> >>>> 2016-02-29 15:41:57.034 0.000 6 40.76.55.204:1128 -> x.x.181:22 ...... 1
> >>>> 2016-02-29 15:41:57.354 0.000 6 40.76.55.204:1176 -> x.x.181:22 ...... 1
> >>>>
> >>>> 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.163:22 ...... 1
> >>>> 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.176:22 ...... 1
> >>>> 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.206:22 ...... 1
> >>>> 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.158:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.185:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.251:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.255:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.141:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.136:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.235:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.242:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.240:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.100:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.244:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.217:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x..72:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.221:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.5.4:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.150:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.145:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.119:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..52:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..75:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.127:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..22:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..77:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.246:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.137:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..85:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..35:22 ...... 1
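The fail2ban advice in this thread (3 failures in 5 minutes, 5-minute iptables ban, whitelist your management addresses, consider raising bantime and findtime) boils down to a sliding-window counter. The script below is an added illustration of that decision logic, written for this page; it is not code from the thread or from the fail2ban project. The log lines, the management network 198.51.100.0/24 and the class and function names are all constructed for the example. The sample includes a source whose three failures are spread over twelve minutes, which shows why a longer findtime changes the outcome.

```python
# Added example: fail2ban-style ban decision (maxretry within findtime, then
# bantime, with an ignoreip whitelist) applied to constructed sshd log lines.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Failure pattern for OpenSSH auth.log lines (simplified from fail2ban's sshd filter).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


class Jail:
    """Sliding-window counter: ban an IP once it has `maxretry` failures within `findtime` seconds."""

    def __init__(self, maxretry=3, findtime=300, bantime=300, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        # Whitelist stored as networks so both a management /24 and a single host work.
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> epoch time when the ban expires

    def ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        until = self.bans.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.bans[ip]  # ban expired; the address starts from a clean slate
            return False
        return True

    def observe(self, ip, ts):
        """Record one failure at epoch time `ts`; return True if it triggers a ban."""
        if self.ignored(ip) or self.is_banned(ip, ts):
            return False
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            q.clear()
            return True
        return False


def parse_ts(s, year=2016):
    # syslog timestamps carry no year; one is assumed so the lines can be ordered
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S").timestamp()


def run(lines, **jail_opts):
    """Feed log lines through a Jail; return the (ip, ban_time) events in order."""
    jail = Jail(**jail_opts)
    events = []
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if jail.observe(m["ip"], ts):
            events.append((m["ip"], ts))
    return events


# Constructed sample log lines (not from the thread). 40.76.55.204 fails 3 times in
# 30 seconds; 198.51.100.10 is a whitelisted management host; 40.76.70.58 fails 3
# times but spread over 12 minutes, so it never reaches maxretry within a 5-minute findtime.
SAMPLE = [
    "Feb 29 14:55:20 host sshd[101]: Failed password for root from 40.76.55.204 port 1090 ssh2",
    "Feb 29 14:55:25 host sshd[102]: Failed password for invalid user admin from 40.76.55.204 port 1091 ssh2",
    "Feb 29 14:55:30 host sshd[103]: Failed password for root from 198.51.100.10 port 50000 ssh2",
    "Feb 29 14:55:31 host sshd[104]: Failed password for root from 198.51.100.10 port 50001 ssh2",
    "Feb 29 14:55:32 host sshd[105]: Failed password for root from 198.51.100.10 port 50002 ssh2",
    "Feb 29 14:55:50 host sshd[106]: Failed password for root from 40.76.55.204 port 1092 ssh2",
    "Feb 29 15:00:00 host sshd[107]: Failed password for root from 40.76.70.58 port 1168 ssh2",
    "Feb 29 15:06:00 host sshd[108]: Failed password for root from 40.76.70.58 port 1169 ssh2",
    "Feb 29 15:12:00 host sshd[109]: Failed password for root from 40.76.70.58 port 1170 ssh2",
]

if __name__ == "__main__":
    for findtime in (300, 900):
        events = run(SAMPLE, maxretry=3, findtime=findtime, bantime=300, ignoreip=["198.51.100.0/24"])
        print(f"findtime={findtime}s: banned {[ip for ip, _ in events]}")
```

With the defaults quoted in the thread only 40.76.55.204 is banned; raising findtime to 900 seconds also catches the slow source, and removing the whitelist would have banned the management host as well, which is the mistake the first reply warns about.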
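Marcel's flow listing was produced with the filter "src AS 8075 and dst port 22 and packets=1", and the records show two different shapes: sources such as 40.76.70.58 that send a pair of probes (source ports 1168 and 1169) to one host at a time, and 40.117.96.192, which hits dozens of hosts from the same source port within a few milliseconds. The script below is an added example for this page, not code from the thread or from nfdump/NfSen; it parses records in that output format and summarizes them per source so the two shapes separate. The parser, the per-source summary and the "sweep" threshold are my own constructions; the sample records are copied from the thread with the destinations masked as the poster left them.

```python
# Added example: group nfdump-style single-packet flow records by source address
# and tell a horizontal sweep apart from paired probes against a single host.
import re
from collections import defaultdict

# One record: "date time  duration proto src:port -> dst:port flags packets"
FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\d+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+(?P<flags>\S+)\s+(?P<pkts>\d+)\s*$"
)


def parse_flows(lines):
    """Parse record lines, skipping headers and blanks; numeric fields become ints."""
    records = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        for k in ("sport", "dport", "proto", "pkts"):
            r[k] = int(r[k])
        records.append(r)
    return records


def summarize(records, port=22):
    """Per source IP: single-packet flows to `port`, distinct targets, distinct source ports."""
    acc = defaultdict(lambda: {"flows": 0, "dsts": set(), "sports": set()})
    for r in records:
        if r["pkts"] != 1 or r["dport"] != port:
            continue
        a = acc[r["src"]]
        a["flows"] += 1
        a["dsts"].add(r["dst"])
        a["sports"].add(r["sport"])
    return {
        src: {"flows": a["flows"], "targets": len(a["dsts"]), "sports": len(a["sports"])}
        for src, a in acc.items()
    }


def classify(summary, sweep_targets=8):
    """Label each source; the threshold is an illustrative assumption, not a published rule."""
    return {
        src: "sweep" if s["targets"] >= sweep_targets else "targeted probe"
        for src, s in summary.items()
    }


# Records copied from the thread (destinations masked by the poster as x.x.N);
# the header line is included to show that the parser skips it.
SAMPLE_FLOWS = """\
Date_first_seen Duration Proto Src_IP_Addr:Port Dst_IP_Addr:Port Flags Packets
2016-02-29 14:55:20.108 0.000 6 104.45.210.69:1160 -> x.x.231:22 ...... 1
2016-02-29 14:55:20.611 0.000 6 104.45.210.69:1161 -> x.x.231:22 ...... 1
2016-02-29 15:01:17.358 0.000 6 40.76.70.58:1168 -> x.x..80:22 ...... 1
2016-02-29 15:01:17.676 0.000 6 40.76.70.58:1169 -> x.x..80:22 ...... 1
2016-02-29 15:09:08.433 0.000 6 40.76.70.58:1168 -> x.x..31:22 ...... 1
2016-02-29 15:09:08.744 0.000 6 40.76.70.58:1169 -> x.x..31:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.163:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.176:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.206:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.158:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.185:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.251:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.255:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.141:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.136:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.235:22 ...... 1
""".splitlines()

if __name__ == "__main__":
    summary = summarize(parse_flows(SAMPLE_FLOWS))
    labels = classify(summary)
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["targets"]):
        print(f"{src:16} flows={s['flows']:3} targets={s['targets']:3} sports={s['sports']:2} {labels[src]}")
```

A summary like this is also what you would want in hand before writing to an abuse desk: per-source counts with distinct targets and a time span are far more actionable than a raw list of flows.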